Don’t let your clients get caught paying a “big” settlement for failing to report a HIPAA breach! For the first time, the Office of Civil Rights (OCR) has announced a HIPAA settlement with a provider who failed to provide a timely breach report.

Presence Health, a health network serving Illinois with approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, has been ordered to pay a $475,000 HIPAA settlement and directed to implement a corrective action plan because it failed to report a breach in a timely manner. The breach, which involved missing paper operating room schedules containing 836 individuals’ protected health information (PHI), took place on October 22, 2013. Presence did not report the breach to the OCR or notify the affected individuals until January 31, 2014. Due to the size of the breach (which affected more than 500 individuals), Presence had an obligation to notify the affected individuals and the OCR without unreasonable delay and within 60 days of the breach. The notification of the affected individuals also was required to include notification to prominent media outlets, which was not done within the 60 days. OCR Director Jocelyn Samuels was quoted as saying “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” and “individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.” The OCR is making a clear statement that it takes timely breach reporting seriously, and health care and other entities subject to HIPAA need to be aware of it.

If you have health care clients in need of assistance with HIPAA policies and procedures for responding to the Breach Notification Rule, we can help. Please let us know if you have any questions or if we can be of further assistance.